Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-5022 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Tiff

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-228 — Improper Handling of Syntactically Invalid Structure9 documents8 sources

Severity

6.8MEDIUMNVD

EPSS

16.6%

top 5.07%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Debian Tiff Libtiff

Timeline

PublishedMay 3

Latest updateMay 2

Description

Heap-based buffer overflow in tif_ojpeg.c in the OJPEG decoder in LibTIFF before 3.9.5 allows remote attackers to execute arbitrary code via a crafted TIFF file.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶NVDlibtiff/libtiff3.9.4+24

▶debiandebian/tiff< tiff 3.9.5-1 (bookworm)

Patches

Patch: www.remotesensing.org ↗Patch: www.remotesensing.org ↗

🔴Vulnerability Details

GHSA

GHSA-c6jf-8jhf-3f5j: Heap-based buffer overflow in tif_ojpeg↗2022-05-02

▶

OSV

CVE-2009-5022: Heap-based buffer overflow in tif_ojpeg↗2011-05-03

▶

💥Exploits & PoCs

Exploit-DB

IrfanView - '.TIF' Image Decompression Buffer Overflow↗2012-11-13

▶

📋Vendor Advisories

Ubuntu

tiff vulnerability↗2011-04-21

▶

Red Hat

libtiff ojpeg buffer overflow↗2009-02-09

▶

Debian

CVE-2009-5022: tiff - Heap-based buffer overflow in tif_ojpeg.c in the OJPEG decoder in LibTIFF before...↗2009

▶

💬Community

Bugzilla

CVE-2009-5022 CVE-2010-4665 libtiff various flaws [fedora-all]↗2011-04-13

▶

Bugzilla

CVE-2009-5022 libtiff ojpeg buffer overflow↗2011-04-12

▶